'\" t
.\"     Title: IPSEC_SPI
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 23 Oct 2001
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "IPSEC_SPI" "8" "23 Oct 2001" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ipsec_spi \- manage IPSEC Security Associations
.SH "SYNOPSIS"
.PP
Note: In the following,
.HP \w'\fB<SA>\fR\fB<life>\fR\fB<SA>\fR\ 'u
\fB<SA>\fR \fImeans:\fR \-\-af \fI(inet\ |\ inet6)\fR \-\-edst \fIdaddr\fR \-\-spi \fIspi\fR \-\-proto \fIproto\fR \fIOR\fR \-\-said \fIsaid,\fR
.br
\fB<life>\fR \fImeans:\fR \-\-life \fI(soft\ |\ hard)\fR allocations | \fIbytes\fR | \fIaddtime\fR | \fIusetime\fR | \fIpackets\fR | [value...] \fB<SA>\fR \-\-src \fIsrc\fR \-\-ah \fI(hmac\-md5\-96\ |\ hmac\-sha1\-96)\fR [\-\-replay_window\ \fIreplayw\fR] [\fI<life>\fR] \-\-authkey \fIakey\fR
.br
\fIipsec\fR \fIspi\fR \fI<SA>\fR \-\-src \fIsrc\fR \-\-esp \fI(3des\ |\ 3des\-md5\-96\ |\ 3des\-sha1\-96)\fR [\-\-replay_window\ \fIreplayw\fR] [\fI<life>\fR] \-\-enckey \fIekey\fR
.br
\fIipsec\fR \fIspi\fR \fI<SA>\fR \-\-src \fIsrc\fR \-\-esp [\-\-replay_window\ \fIreplayw\fR] [\fI<life>\fR] \-\-enckey \fIekey\fR \-\-authkey \fIakey\fR
.br
\fIipsec\fR \fIspi\fR \fI<SA>\fR \-\-src \fIsrc\fR \-\-comp \fIdeflate\fR
.br
\fIipsec\fR \fIspi\fR \fI<SA>\fR \-\-ip4 \-\-src \fIencap\-src\fR \-\-dst \fIencap\-dst\fR
.br
\fIipsec\fR \fIspi\fR \fI<SA>\fR \-\-ip6 \-\-src \fIencap\-src\fR \-\-dst \fIencap\-dst\fR
.br
\fIipsec\fR \fIspi\fR \fI<SA>\fR \-\-del
.br
\fIipsec\fR \fIspi\fR \-\-help
.br
\fIipsec\fR \fIspi\fR \-\-version
.br
\fIipsec\fR \fIspi\fR \-\-clear
.br

.SH "DESCRIPTION"
.PP
\fISpi\fR
creates and deletes IPSEC Security Associations\&. A Security Association (SA) is a transform through which packet contents are to be processed before being forwarded\&. A transform can be an IPv4\-in\-IPv4 or an IPv6\-in\-IPv6 encapsulation, an IPSEC Authentication Header (authentication with no encryption), or an IPSEC Encapsulation Security Payload (encryption, possibly including authentication)\&.
.PP
When a packet is passed from a higher networking layer through an IPSEC virtual interface, a search in the extended routing table (see
\fBipsec_eroute\fR(8)) yields an effective destination address, a Security Parameters Index (SPI) and a IP protocol number\&. When an IPSEC packet arrives from the network, its ostensible destination, an SPI and an IP protocol specified by its outermost IPSEC header are used\&. The destination/SPI/protocol combination is used to select a relevant SA\&. (See
\fBipsec_spigrp\fR(8)
for discussion of how multiple transforms are combined\&.)
.PP
The
\fIaf\fR,
\fIdaddr\fR,
\fIspi\fR
and
\fIproto\fR
arguments specify the SA to be created or deleted\&.
\fIaf\fR
is the address family (inet for IPv4, inet6 for IPv6)\&.
\fIDaddr\fR
is a destination address in dotted\-decimal notation for IPv4 or in a coloned hex notation for IPv6\&.
\fISpi\fR
is a number, preceded by \'0x\' for hexadecimal, between
\fB0x100\fR
and
\fB0xffffffff\fR; values from
\fB0x0\fR
to
\fB0xff\fR
are reserved\&.
\fIProto\fR
is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol\&. The protocol must agree with the algorithm selected\&.
.PP
Alternatively, the
\fIsaid\fR
argument can also specify an SA to be created or deleted\&.
\fISaid\fR
combines the three parameters above, such as: "tun\&.101@1\&.2\&.3\&.4" or "tun:101@1:2::3:4", where the address family is specified by "\&." for IPv4 and ":" for IPv6\&. The address family indicators substitute the "0x" for hexadecimal\&.
.PP
The source address,
\fIsrc\fR, must also be provided for the inbound policy check to function\&. The source address does not need to be included if inbound policy checking has been disabled\&.
.PP
Keys vectors must be entered as hexadecimal or base64 numbers\&. They should be cryptographically strong random numbers\&.
.PP
All hexadecimal numbers are entered as strings of hexadecimal digits (0\-9 and a\-f), without spaces, preceded by \'0x\', where each hexadecimal digit represents 4 bits\&. All base64 numbers are entered as strings of base64 digits (0\-9, A\-Z, a\-z, \'+\' and \'/\'), without spaces, preceded by \'0s\', where each hexadecimal digit represents 6 bits and \'=\' is used for padding\&.
.PP
The deletion of an SA which has been grouped will result in the entire chain being deleted\&.
.PP
The form with no additional arguments lists the contents of /proc/net/ipsec_spi\&. The format of /proc/net/ipsec_spi is discussed in ipsec_spi(5)\&.
.PP
The lifetime severity of
\fBsoft\fR
sets a limit when the key management daemons are asked to rekey the SA\&. The lifetime severity of
\fBhard\fR
sets a limit when the SA must expire\&. The lifetime type
\fBallocations\fR
tells the system when to expire the SA because it is being shared by too many eroutes (not currently used)\&. The lifetime type of
\fBbytes\fR
tells the system to expire the SA after a certain number of bytes have been processed with that SA\&. The lifetime type of
\fBaddtime\fR
tells the system to expire the SA a certain number of seconds after the SA was installed\&. The lifetime type of
\fBusetime\fR
tells the system to expire the SA a certain number of seconds after that SA has processed its first packet\&. The lifetime type of
\fBpackets\fR
tells the system to expire the SA after a certain number of packets have been processed with that SA\&.
.SH "OPTIONS"
.PP
\fB\-\-af\fR
.RS 4
specifies the address family (inet for IPv4, inet6 for IPv6)
.RE
.PP
\fB\-\-edst\fR
.RS 4
specifies the effective destination
\fIdaddr\fR
of the Security Association
.RE
.PP
\fB\-\-spi\fR
.RS 4
specifies the Security Parameters Index
\fIspi\fR
of the Security Association
.RE
.PP
\fB\-\-proto\fR
.RS 4
specifies the IP protocol
\fIproto\fR
of the Security Association
.RE
.PP
\fB\-\-said\fR
.RS 4
specifies the Security Association in monolithic format
.RE
.PP
\fB\-\-ah\fR
.RS 4
add an SA for an IPSEC Authentication Header, specified by the following transform identifier (\fBhmac\-md5\-96\fR
or
\fBhmac\-sha1\-96\fR) (RFC2402, obsoletes RFC1826)
.RE
.PP
\fBhmac\-md5\-96\fR
.RS 4
transform following the HMAC and MD5 standards, using a 128\-bit
\fIkey\fR
to produce a 96\-bit authenticator (RFC2403)
.RE
.PP
\fBhmac\-sha1\-96\fR
.RS 4
transform following the HMAC and SHA1 standards, using a 160\-bit
\fIkey\fR
to produce a 96\-bit authenticator (RFC2404)
.RE
.PP
\fB\-\-esp\fR
.RS 4
add an SA for an IPSEC Encapsulation Security Payload, specified by the following transform identifier (\fB3des\fR, or
\fB3des\-md5\-96\fR
(RFC2406, obsoletes RFC1827)
.RE
.PP
\fB3des\fR
.RS 4
encryption transform following the Triple\-DES standard in Cipher\-Block\-Chaining mode using a 64\-bit
\fIiv\fR
(internally generated) and a 192\-bit 3DES
\fIekey\fR
(RFC2451)
.RE
.PP
\fB3des\-md5\-96\fR
.RS 4
encryption transform following the Triple\-DES standard in Cipher\-Block\-Chaining mode with authentication provided by HMAC and MD5 (96\-bit authenticator), using a 64\-bit
\fIiv\fR
(internally generated), a 192\-bit 3DES
\fIekey\fR
and a 128\-bit HMAC\-MD5
\fIakey\fR
(RFC2451, RFC2403)
.RE
.PP
\fB3des\-sha1\-96\fR
.RS 4
encryption transform following the Triple\-DES standard in Cipher\-Block\-Chaining mode with authentication provided by HMAC and SHA1 (96\-bit authenticator), using a 64\-bit
\fIiv\fR
(internally generated), a 192\-bit 3DES
\fIekey\fR
and a 160\-bit HMAC\-SHA1
\fIakey\fR
(RFC2451, RFC2404)
.RE
.PP
\fB\-\-replay_window\fR replayw
.RS 4
sets the replay window size; valid values are decimal, 1 to 64
.RE
.PP
\fB\-\-life\fR life_param[,life_param]
.RS 4
sets the lifetime expiry; the format of
\fBlife_param\fR
consists of a comma\-separated list of lifetime specifications without spaces; a lifetime specification is comprised of a severity of
\fBsoft\fR
or
\fBhard\fR
followed by a \'\-\', followed by a lifetime type of
\fBallocations\fR,
\fBbytes\fR,
\fBaddtime\fR,
\fBusetime\fR
or
\fBpackets\fR
followed by an \'=\' and finally by a value
.RE
.PP
\fB\-\-comp\fR
.RS 4
add an SA for IPSEC IP Compression, specified by the following transform identifier (\fBdeflate\fR) (RFC2393)
.RE
.PP
\fBdeflate\fR
.RS 4
compression transform following the patent\-free Deflate compression algorithm (RFC2394)
.RE
.PP
\fB\-\-ip4\fR
.RS 4
add an SA for an IPv4\-in\-IPv4 tunnel from
\fIencap\-src\fR
to
\fIencap\-dst\fR
.RE
.PP
\fB\-\-ip6\fR
.RS 4
add an SA for an IPv6\-in\-IPv6 tunnel from
\fIencap\-src\fR
to
\fIencap\-dst\fR
.RE
.PP
\fB\-\-src\fR
.RS 4
specify the source end of an IP\-in\-IP tunnel from
\fIencap\-src\fR
to
\fIencap\-dst\fR
and also specifies the source address of the Security Association to be used in inbound policy checking and must be the same address family as
\fIaf\fR
and
\fIedst\fR
.RE
.PP
\fB\-\-dst\fR
.RS 4
specify the destination end of an IP\-in\-IP tunnel from
\fIencap\-src\fR
to
\fIencap\-dst\fR
.RE
.PP
\fB\-\-del\fR
.RS 4
delete the specified SA
.RE
.PP
\fB\-\-clear\fR
.RS 4
clears the table of
\fBSA\fRs
.RE
.PP
\fB\-\-help\fR
.RS 4
display synopsis
.RE
.PP
\fB\-\-version\fR
.RS 4
display version information
.RE
.SH "EXAMPLES"
.PP
To keep line lengths down and reduce clutter, some of the long keys in these examples have been abbreviated by replacing part of their text with ``\&.\&.\&.\'\'\&. Keys used when the programs are actually run must, of course, be the full length required for the particular algorithm\&.
.PP
\fBipsec spi \-\-af inet \-\-edst gw2 \-\-spi 0x125 \-\-proto esp \e\fR

\fB \-\-src gw1 \e\fR

\fB \-\-esp 3des\-md5\-96 \e\fR

\fB\ \&\ \&\ \&\-\-enckey\ \&0x6630\fR\&.\&.\&.\fB97ce\ \&\e\fR

\fB \-\-authkey 0x9941\fR\&.\&.\&.\fB71df\fR
.PP
sets up an SA from
\fBgw1\fR
to
\fBgw2\fR
with an SPI of
\fB0x125\fR
and protocol
\fBESP\fR
(50) using
\fB3DES\fR
encryption with integral
\fBMD5\-96\fR
authentication transform, using an encryption key of
\fB0x6630\fR\&.\&.\&.\fB97ce\fR
and an authentication key of
\fB0x9941\fR\&.\&.\&.\fB71df\fR
(see note above about abbreviated keys)\&.
.PP
\fBipsec spi \-\-af inet6 \-\-edst 3049:9::9000:3100 \-\-spi 0x150 \-\-proto ah \e\fR

\fB \-\-src 3049:9::9000:3101 \e\fR

\fB \-\-ah hmac\-md5\-96 \e\fR

\fB\ \&\ \&\ \&\-\-authkey\ \&0x1234\fR\&.\&.\&.\fB2eda\ \&\e\fR
.PP
sets up an SA from
\fB3049:9::9000:3101\fR
to
\fB3049:9::9000:3100\fR
with an SPI of
\fB0x150\fR
and protocol
\fBAH\fR
(50) using
\fBMD5\-96\fR
authentication transform, using an authentication key of
\fB0x1234\fR\&.\&.\&.\fB2eda\fR
(see note above about abbreviated keys)\&.
.PP
\fBipsec spi \-\-said tun\&.987@192\&.168\&.100\&.100 \-\-del \fR
.PP
deletes an SA to
192\&.168\&.100\&.100
with an SPI of
\fB0x987\fR
and protocol
\fBIPv4\-in\-IPv4\fR
(4)\&.
.PP
\fBipsec spi \-\-said tun:500@3049:9::1000:1 \-\-del \fR
.PP
deletes an SA to
\fB3049:9::1000:1\fR
with an SPI of
\fB0x500\fR
and protocol
\fBIPv6\-in\-IPv6\fR
(4)\&.
.SH "FILES"
.PP
/proc/net/ipsec_spi, /usr/local/bin/ipsec
.SH "SEE ALSO"
.PP
ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_spi(5)
.SH "HISTORY"
.PP
Written for the Linux FreeS/WAN project <\m[blue]\fBhttp://www\&.freeswan\&.org/\fR\m[]> by Richard Guy Briggs\&.
.SH "BUGS"
.PP
The syntax is messy and the transform naming needs work\&.
